Initial skeleton: README, CVE inventory, roadmap, ARCH, ethics + copy_fail_family module absorbed from DIRTYFAIL
This commit is contained in:
+111
@@ -0,0 +1,111 @@
|
||||
# Roadmap
|
||||
|
||||
What's coming next, in priority order. Dates are aspirational, not
|
||||
commitments.
|
||||
|
||||
## Phase 0 — Bootstrap (DONE as of 2026-05-16)
|
||||
|
||||
- [x] Repo structure (modules/, core/, docs/, tools/, tests/)
|
||||
- [x] Absorbed DIRTYFAIL as the first module
|
||||
(`modules/copy_fail_family/`)
|
||||
- [x] Top-level README, CVES.md, ROADMAP.md, docs/ARCHITECTURE.md,
|
||||
docs/ETHICS.md
|
||||
- [x] LICENSE (MIT)
|
||||
- [x] Private GitHub repo
|
||||
|
||||
## Phase 1 — Make the bundling real (next session)
|
||||
|
||||
- [ ] Top-level `iamroot` dispatcher CLI (`iamroot.c`) — module
|
||||
registry, fingerprint, route to module's detect/exploit
|
||||
- [ ] Module interface header (`core/module.h`) — standard
|
||||
`iamroot_module` struct each module exports
|
||||
- [ ] Refactor `modules/copy_fail_family/` internals to expose the
|
||||
standard module interface
|
||||
- [ ] Extract shared code into `core/`: `apparmor_bypass.c`,
|
||||
`exploit_su.c`, `common.c`, `fcrypt.c` (currently duplicated
|
||||
under the absorbed DIRTYFAIL tree)
|
||||
- [ ] Top-level `Makefile` that builds all modules into one binary
|
||||
- [ ] Smoke test: `iamroot --scan --json` on Ubuntu 26.04
|
||||
produces sensible output
|
||||
|
||||
## Phase 2 — Add Dirty Pipe (CVE-2022-0847)
|
||||
|
||||
Public PoC, well-understood, useful for completeness — IAMROOT
|
||||
without Dirty Pipe is incomplete as a "historical bundle." Affects
|
||||
kernels ≤5.16.11/≤5.15.25/≤5.10.102 so coverage is older
|
||||
deployments (worth bundling — many production boxes still run
|
||||
these).
|
||||
|
||||
- [ ] `modules/dirty_pipe_cve_2022_0847/` — exploit + detect + range
|
||||
metadata
|
||||
- [ ] Test matrix: Ubuntu 20.04 (vulnerable kernels), Debian 11
|
||||
(vulnerable kernels), modern kernels (immune — should detect
|
||||
as patched)
|
||||
- [ ] Detection rules: auditd splice/pipe write patterns
|
||||
|
||||
## Phase 3 — Add EntryBleed (CVE-2023-0458) as stage-1 leak brick
|
||||
|
||||
EntryBleed is **not a standalone LPE**. It's a **kbase leak
|
||||
primitive** that other modules can chain. Bundle it because:
|
||||
|
||||
- Stage-1 of any future "build-your-own LPE" workflow
|
||||
- Detection rules for KPTI side-channel attempts are useful for
|
||||
defenders
|
||||
- Already works empirically on lts-6.12.88 (verified 2026-05-16)
|
||||
|
||||
- [ ] `modules/entrybleed_cve_2023_0458/` — leak primitive +
|
||||
detect-mitigations
|
||||
- [ ] Exposed as a library helper: other modules can call
|
||||
`entrybleed_leak_kbase()` when they need a kbase
|
||||
|
||||
## Phase 4 — CI matrix
|
||||
|
||||
- [ ] Distro+kernel VM matrix in GitHub Actions (Ubuntu 20.04 /
|
||||
22.04 / 24.04 / 26.04, Debian 11 / 12 / 13, Alma 8 / 9 / 10,
|
||||
Fedora 39 / 40 / 41)
|
||||
- [ ] Each module's exploit runs against matched-vulnerable VMs and
|
||||
MUST land root; runs against patched VMs and MUST fail at
|
||||
detect step
|
||||
- [ ] Nightly run; failures open issues automatically
|
||||
|
||||
## Phase 5 — Detection signature export
|
||||
|
||||
- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE
|
||||
- [ ] `--format=yara` — YARA rules for static detection of exploit
|
||||
binaries
|
||||
- [ ] `--format=auditd` — auditd `.rules` snippets
|
||||
- [ ] `--format=falco` — Falco rule snippets
|
||||
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md`
|
||||
|
||||
## Phase 6 — Mitigation mode
|
||||
|
||||
- [ ] `iamroot --mitigate` walks the host's vulnerabilities, applies
|
||||
temporary sysctl / module-blacklist / LSM workarounds
|
||||
- [ ] Per-CVE rollback procedure if the mitigation breaks something
|
||||
- [ ] Idempotent: running twice is safe
|
||||
|
||||
## Phase 7+ — More modules
|
||||
|
||||
Backfill of historical and recent LPEs as time allows:
|
||||
|
||||
- [ ] **CVE-2021-3493** — overlayfs nested-userns LPE
|
||||
- [ ] **CVE-2021-4034** — Pwnkit (pkexec env handling)
|
||||
- [ ] **CVE-2022-2588** — net/sched route4 dead UAF
|
||||
- [ ] **CVE-2023-2008** — vmwgfx OOB write
|
||||
- [ ] **CVE-2024-1086** — netfilter nf_tables UAF
|
||||
- [ ] Fragnesia (if it lands as a CVE)
|
||||
- [ ] Anything we ourselves disclose — bundled AFTER upstream patch
|
||||
ships (responsible-disclosure-first)
|
||||
|
||||
## Non-goals
|
||||
|
||||
- **No 0-day shipment.** Everything in IAMROOT is post-patch.
|
||||
- **No automated mass-targeting.** No host-list mode. No automatic
|
||||
pivoting.
|
||||
- **No persistence beyond `--exploit-backdoor`'s
|
||||
`/etc/passwd` overwrite**, which is overt and easily detected by
|
||||
any auditd rule we ship ourselves. Persistence-as-evasion is out
|
||||
of scope.
|
||||
- **No container-runtime escapes** unless they cleanly chain to
|
||||
host-root.
|
||||
- **No Windows / macOS / non-Linux targets.** Focus is the moat.
|
||||
Reference in New Issue
Block a user